A Trip into HTML5


■ WebSockets background 

■ What makes them interesting 

■ What makes us worry 

■ What makes them better 
Behold the Bidirectional Browser


The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code. (RFC 6455, Abstract)
Wonky Workarounds


Forcing persistence on a non-persistent protocol with long-polling, cometd, etc.

...often at the server’s expense of one thread/request

...while dealing with the browser’s per-domain connection limit

...and trying to figure out a magic polling frequency

...just to know when the server has some data ready.
Speak to Me


■ Simple structure for transporting bytes: RFC 6455

■ WebSockets API describes the JavaScript interface

- receive with websocket.onmessage()

- send with websocket.send()

- transfer a String, Blob, ArrayBuffer

■ Tunnel arbitrary data

- JSON, XML, HTML

- images, video, sound

- another protocol
WebSockets in Action
WebSockets Emulation


■ web-socket-js -- The power of Flash’s raw sockets with the benefits(?) of Flash’s security

■ sockjs-client -- Pure JavaScript, choose your poison: long-polling, XHR, etc.

■ Forcing HTML5 on a non-HTML5 browser


[Screenshot: Opera Preferences Editor, opera:config#UserPrefs|EnableWebSockets]
WS = Works Superior


■ Starts with an HTTP handshake

- Transparent to proxies (well, it’s supposed to be)

■ “ping” / “pong” frames for keep-alive

■ Data frames don’t have HTTP overhead

- No headers, cookies, authentication

■ Data frames don’t have HTTP security

- No headers, cookies, authentication
Handshake Challenge


GET /?encoding=text HTTP/1.1
Host: echo.websocket.org
User-Agent: ...
Connection: Upgrade
Sec-WebSocket-Version: 13
Origin: http://www.websocket.org
Sec-WebSocket-Key: CjYoQD+BXC718rj3aiExxw==
Handshake Response


HTTP/1.1 101 Switching Protocols
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Accept: c4RVZSknSoEHizZu6BKI3v+xUul=


[ then the data frames begin ]
Us and Them


Sec-WebSocket-Key: base64(16 random bytes)

Sec-WebSocket-Accept: base64(SHA1(challenge + GUID))

■ Must finish the handshake before opening another connection to the same origin

■ Success proves the endpoint speaks WebSocket

- Does not prove identity or trust
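Both sides of the handshake the last three slides describe, as an added Python example (not the slides' code): the client builds the key and verifies the Accept value, the server validates the upgrade request against an Origin allow-list and answers with base64(SHA1(key + GUID)). The GUID is the RFC 6455 constant; the sample request, hostnames and rejection strings are constructed, and the sample key is the one from RFC 6455's own example.

```python
import base64
import hashlib
import hmac
import os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455

# Constructed sample request.  The key is the one in RFC 6455's own
# example, so the expected Accept value can be checked against the RFC.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\nHost: server.example.test\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Version: 13\r\nOrigin: http://app.example.test\r\n"
    "Sec-WebSocket-Key: " + SAMPLE_KEY + "\r\n\r\n"
)


def make_key():
    """Client: Sec-WebSocket-Key = base64(16 random bytes)."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def compute_accept(key):
    """Server: Sec-WebSocket-Accept = base64(SHA1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_headers(raw):
    """Split an HTTP message into (start line, {lower-cased name: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_upgrade_request(raw, allowed_origins):
    """Server: '' if the upgrade may proceed, else why to answer 4xx.
    Origin is matched against an explicit allow-list, never '*'."""
    start, h = parse_headers(raw)
    if not start.startswith("GET "):
        return "not a GET"
    if h.get("upgrade", "").lower() != "websocket":
        return "missing Upgrade: websocket"
    if "upgrade" not in h.get("connection", "").lower():
        return "missing Connection: Upgrade"
    if h.get("sec-websocket-version") != "13":
        return "unsupported Sec-WebSocket-Version"
    try:
        nonce = base64.b64decode(h.get("sec-websocket-key", ""), validate=True)
    except ValueError:            # binascii.Error is a ValueError
        nonce = b""
    if len(nonce) != 16:
        return "Sec-WebSocket-Key is not 16 base64-encoded bytes"
    if h.get("origin") not in allowed_origins:
        return "Origin not allowed"
    return ""


def check_upgrade_response(key, raw):
    """Client: verify the 101 before sending any frame; '' means OK."""
    start, h = parse_headers(raw)
    if not start.startswith("HTTP/1.1 101"):
        return "not 101 Switching Protocols"
    if h.get("upgrade", "").lower() != "websocket":
        return "missing Upgrade: websocket"
    got = h.get("sec-websocket-accept", "").encode()
    if not hmac.compare_digest(compute_accept(key).encode(), got):
        return "Sec-WebSocket-Accept mismatch: the peer did not see our key"
    return ""
```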
Some Origin Policies


■ Handshake includes Origin header

■ User Agent should not establish plaintext WebSocket (ws:) from “secure” resource (https:)

■ User Agent should minimize details for certain kinds of connection failures

- “host/port scanning”

- Still doesn’t affect timing analysis

■ Web Workers might use WebSocket objects
WebSocket JavaScript Object


[Screenshots: a WebSocket object for "wss://the.wall/" inspected in two browsers' developer tools]

readyState constants: CONNECTING: 0, OPEN: 1, CLOSING: 2, CLOSED: 3

Properties and methods shown: url, readyState, bufferedAmount: 0, binaryType: "blob", extensions: "", protocol: "", onopen, onmessage, onerror, onclose (all null), send(), close(), addEventListener(), removeEventListener(); constructor: WebSocket, __proto__: WebSocketPrototype

Handler skeleton: function(evt){ }
Data Frame Details


      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-------+-+-------------+-------------------------------+
     |F|R|R|R| opcode|M| Payload len |    Extended payload length    |
     |I|S|S|S|  (4)  |A|     (7)     |             (16/64)           |
     |N|V|V|V|       |S|             |   (if payload len==126/127)   |
     | |1|2|3|       |K|             |                               |
     +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
     |     Extended payload length continued, if payload len == 127  |
     + - - - - - - - - - - - - - - - +-------------------------------+
     |                               |Masking-key, if MASK set to 1  |
     +-------------------------------+-------------------------------+
     | Masking-key (continued)       |          Payload Data         |
     +-------------------------------- - - - - - - - - - - - - - - - +
     :                     Payload Data continued ...                :
     + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
     |                     Payload Data continued ...                |
     +---------------------------------------------------------------+
Masking Data


32-bit pseudo-random value, XOR byte by byte

Prevent the browser from being leveraged for cross-protocol attacks, cache poisoning


[Scapy dissection of a captured client-to-server text frame]

flags      = FIN
opcode     = text-frame
mask_flag  = 1L
length     = 37L
mask       = 0xbdccefe0
frame_data = '\xe9\xa4\x8a\x99...'

Raw bytes on the wire (header, mask, then 37 masked payload bytes):

81 a5 bd cc ef e0 e9 a4 8a 99 9a be 8a c0 de a3
82 89 d3 ab cf 94 d2 ec 88 85 c9 ec 96 8f c8 e0
cf a2 dc be 8d 81 cf ad c1 ce 93

Unmasking, byte by byte (the 4-byte mask repeats):

mask    bd cc ef e0 bd cc ef e0 bd ...
masked  e9 a4 8a 99 9a be 8a c0 de ...
plain    T  h  e  y  '  r  e     c ...
Variable Lengths


Decimal     Length (7 bits)    Extended length (16- or 64-bit)
1           0000001            n/a
128         1111110 (=126)     00000000 10000000
65535       1111110 (=126)     11111111 11111111
65536       1111111 (=127)     00000000 00000000 00000000 00000000 00000000 00000001 00000000 00000000
2^64 - 1    1111111 (=127)     11111111 ... 11111111
19          0010011            n/a
19          1111110 (=126)     00000000 00010011
19          1111111 (=127)     00000000 00000000 00000000 00000000 00000000 00000000 00000000 00010011

(bit patterns shown most-significant bit first, as they are on the wire; the last three rows encode the same length three ways)
Scapy Dissection


from scapy.all import (Packet, FlagsField, BitEnumField, BitField,
                       ConditionalField, XIntField, StrLenField)

# Opcode names from RFC 6455; values 3-7 and 11-15 are reserved.
_ws_opcode_names = {0: "continuation-frame", 1: "text-frame",
                    2: "binary-frame", 8: "connection-close",
                    9: "ping", 10: "pong"}


class WebSocket(Packet):
    name = "WebSocket"
    fields_desc = [
        # First nibble on the wire; FIN is the most significant bit.
        FlagsField("flags", 0, 4, ["RSV3", "RSV2", "RSV1", "FIN"]),
        BitEnumField("opcode", 0, 4, _ws_opcode_names),
        BitField("mask_flag", 0, 1),
        BitField("length", 0, 7),
        # 126 and 127 announce a 16- or 64-bit extended length.
        ConditionalField(BitField("length16", None, 16),
                         lambda pkt: pkt.length == 126),
        ConditionalField(BitField("length64", None, 64),
                         lambda pkt: pkt.length == 127),
        ConditionalField(XIntField("mask", 0),
                         lambda pkt: pkt.mask_flag == 1),
        # frame_data is left masked; XOR it with mask to read it.
        StrLenField("frame_data", None,
                    length_from=lambda pkt: (pkt.length64 if pkt.length64 else
                                             pkt.length16 if pkt.length16 else
                                             pkt.length)),
    ]
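A pure-Python parser for the frame layout above, added here as a worked example (not the slides' Scapy code) and run over the masked frame from the Masking Data slide. encode_length reproduces the three encodings of 19 from the Variable Lengths table, which the parser accepts but flags as non-minimal, while RSV bits and reserved opcodes (the fuzzing targets of a later slide) are refused; OPCODES holds the RFC 6455 opcode numbers and SLIDE_FRAME is the capture's bytes.

```python
import struct
from typing import NamedTuple

# Opcode numbers from RFC 6455; 3-7 and 11-15 are reserved.
OPCODES = {0: "continuation", 1: "text", 2: "binary",
           8: "close", 9: "ping", 10: "pong"}

# The masked text frame captured on the Masking Data slide (hex as shown
# there): 0x81 = FIN + text, 0xa5 = MASK + length 37, then the 4-byte key.
SLIDE_FRAME = bytes.fromhex(
    "81a5" "bdccefe0"
    "e9a48a999abe8ac0dea38289d3abcf94d2ec8885c9ec968fc8e0cf"
    "a2dcbe8d81cfadc1ce93"
)


class Frame(NamedTuple):
    fin: bool
    opcode: int
    masked: bool
    length: int
    minimal_length: bool  # RFC 6455 5.2: the shortest encoding MUST be used
    payload: bytes        # already unmasked


def unmask(data: bytes, key: bytes) -> bytes:
    """XOR byte i with key[i % 4]; applying it twice restores the input."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def parse_frame(buf: bytes) -> Frame:
    """Parse one complete frame; raise ValueError on anything a strict
    endpoint should refuse (truncation, RSV bits, reserved opcodes)."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    b0, b1 = buf[0], buf[1]
    if b0 & 0x70:
        raise ValueError("RSV bits set without a negotiated extension")
    opcode = b0 & 0x0F
    if opcode not in OPCODES:
        raise ValueError("reserved opcode %d" % opcode)
    masked, length, pos, minimal = bool(b1 & 0x80), b1 & 0x7F, 2, True
    try:
        if length == 126:
            (length,) = struct.unpack_from("!H", buf, pos)
            pos, minimal = pos + 2, length >= 126
        elif length == 127:
            (length,) = struct.unpack_from("!Q", buf, pos)
            pos, minimal = pos + 8, length >= 65536
    except struct.error:
        raise ValueError("truncated extended length") from None
    key = buf[pos:pos + 4] if masked else b""
    pos += len(key)
    payload = buf[pos:pos + length]
    if len(key) not in (0, 4) or len(payload) != length:
        raise ValueError("truncated mask or payload")
    if masked:
        payload = unmask(payload, key)
    return Frame(bool(b0 & 0x80), opcode, masked, length, minimal, payload)


def encode_length(n: int, width: int = 0) -> bytes:
    """Length field bytes for n.  width 0 = the minimal form the RFC
    requires; 16 or 64 forces the longer forms the Variable Lengths table
    lists for the same value."""
    if width == 0:
        width = 7 if n < 126 else 16 if n < 65536 else 64
    if width == 7:
        return bytes([n])
    if width == 16:
        return b"\x7e" + struct.pack("!H", n)
    return b"\x7f" + struct.pack("!Q", n)
```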
Data Frame Security Features


      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +---------------------------------------------------------------+
     |                 [ insert your protocol here ]                 |
     +---------------------------------------------------------------+
     |                          *crickets*                           |
     +---------------------------------------------------------------+
     |                       It is pitch dark.                       |
     |             You are likely to be eaten by a grue.             |
     +---------------------------------------------------------------+
What makes them interesting


Hacking with WebSockets
WebSockets in


■ Micro-SCADA 

■ Web apps 

■ Cool games 

■ Mobile apps 
Embedded Devices


WebSocket server with PIC microcontroller allows control of electronics on the board from the browser

4 port HDMI switch controlled by embedded I/O controller with WebSocket server running in embedded linux kernel
Other places



http://labsocket.com/example.html 
Current implementations


[Logos of implementations, grouped on the slide as "RFC 6455" and "Others": Autobahn|Python, Tufao, resin, libwebsockets, jWebSocket, apache-websocket, pywebsocket, WebSocket-Node]


Qualys, Black Hat USA 2012 (slide 23)
User capacity


■ For applications where persistence and full duplex is required, WS user capacity is similar to HTTP. Both limited to the number of concurrent connections, file descriptors, C10K?

■ With more traditional uses WS is not the best solution


[Figure: connection usage, HTTP vs WebSockets]
Performance & bandwidth usage


■ Good news here, if WS is not facing limitations of number of connections, it will outperform XHR/Long-Poll.

■ WS handshake is done only once, and consecutive messages can have overhead of as low as 2 bytes.

■ No compression support by default


[Figure: header overhead, WebSocket vs HTTP]
Is there anybody out there?


■ We wrote a QtWebKit-based crawler with overloaded WebSocket ctor; whenever it’s called - we get a record in the DB. As simple as:


window._WebSocket = window.WebSocket;
window.WebSocket = function(u, p) {
    cpp_accessible_obj.ws_url = u;   // host object the crawler exposes to the page
    cpp_accessible_obj.dumpToDB();
    return new window._WebSocket(u, p);
};
Ranges of the samples


Not really...


[Chart: Distribution of Alexa Top 600K websites that use WebSockets, by rank bucket (100K to 600K); y-axis 0 to 150]
Details?


■ 0.15% of websites use WebSockets on landing page.

■ Less than 4% of captured WebSockets are using plain ws:

- 95% of total WebSockets connect to a single vendor’s customer support chat system

- among remaining 5%, less than 1% are using encryption
Ranges of the samples


True picture is...


[Chart: Distribution of Alexa Top 600K websites that use WebSockets, by rank bucket (100K to 600K); y-axis 0 to 5: WebSocket instances found, excluding CS chat system]
More details?


■ A few websites are using WebSockets as news feed (e.g. one way communication)

■ A few send away every mouse click and keystroke

■ Q&A website with real-time updates

■ More sophisticated UX reporting


[Screenshots of captured WebSocket traffic: a stock price push feed, a chat application, and a UX-reporting message carrying User.UserID=507bcef0aa510038ef&transID=14 361944 3609 in the clear]
But why?


■ Recently created, draft still changing

■ Lack of educational resources

■ No debugging tools

■ Lack of browser support

■ Hard to choose the right server

■ Lack of scalability research

■ Hard to set up wss:

■ New things are evil

■ No one cares
What makes us worry


Hacking with WebSockets



(Don’t) Blame the Messenger 


■ WebSockets still fall victim to “old” threats 

■ WebSockets still have interesting things to 
discuss 
Mixed content handling


■ If you can sniff http: you can sniff ws:

■ If you can intercept or inject you can overtake ws:/wss:

■ It should be impossible to mix ws: with https: by RFC

- only Firefox implements the policy
Denial of Service - Client


■ WebSockets connection limit is different than HTTP connection limit

■ Malicious content can exhaust browser by grabbing max. allowed number of WebSocket connections

- “Yes, WebSocket is the first way to open an unlimited number of connections to a single server, so it indeed likely needs additional protection to prevent DOS attacks. But we don't really have a way to implement this correctly...” https://bugs.webkit.org/show_bug.cgi?id=32246


[Table: maximum WebSocket connections observed per browser (Chromium, Chrome, Safari, Firefox, Opera); the captured values are 2970, 200, 900 and 924, but which browser each belongs to was lost in extraction]
Denial of Service - Server



■ Malicious content can create large number of WebSocket 
connections to victim WebSocket server 

■ Attacks like SlowLoris strive to maintain persistent 
connections thus draining server resources. WebSockets 
are naturally like that 
Stability?


[Screenshot: Problem Report for Safari Web Content: “Safari Web Content quit unexpectedly.” Excerpt of the crashed thread's stack, innermost frame first]

WTF::cryptographicallyRandomValuesFromOS(unsigned char*, unsigned long) + 119
WTF::cryptographicallyRandomNumber() + 447
_ZN7WebCoreL23generateSecWebSocketKeyERjRN3WTF6StringE + 341
WebCore::WebSocketHandshake::WebSocketHandshake(WebCore::KURL const&, WTF::String
WebCore::WebSocketChannel::WebSocketChannel(WebCore::ScriptExecutionContext*, WTF::String const&) + 76
WebCore::ThreadableWebSocketChannel::create(WebCore::ScriptExecutionContext*, WTF::String const&) + 296
WebCore::WebSocket::connect(WTF::String const&, WTF::String const&, int&) + 3233
WebCore::WebSocket::connect(WTF::String const&, int&) + 29
WebCore::JSWebSocketConstructor::constructJSWebSocket(JSC::ExecState*) + 466
cti_op_construct_NotJSConstruct + 182
0 + 98581428048342
JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType,

[further frames in com.apple.WebCore, com.apple.Foundation and com.apple.CFNetwork are unreadable in this copy]
Are Browsers OK?


■ Still no mixed content handling policy 

implemented by WebKit-based and Opera 

■ Firefox still doesn’t let WebWorkers create 
WebSockets 

■ Message sizes handled differently 
Waldo demo


■ Waldo is a simple tool based on websocketpp server built 
to demonstrate why WebSockets as a transport are better 
Transparent Proxy if ws:


[Wireshark, Follow TCP Stream: a ws: handshake sent through an HTTP proxy]

GET http://echo.websocket.org/?encoding=text HTTP/1.1
Host: echo.websocket.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Sec-WebSocket-Version: 13
Origin: http://www.websocket.org
Sec-WebSocket-Key: oGXFLfcPEzICodvwOldllg==
Cookie: __utma=9925811.273635192.1342038680.1342125045.1342131528.6; __utmc=9925811; __utmz=9925811.1342064819.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=websocket?&20onerror; __utmb=9925811.2.10.1342131528
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.0 400 Bad Request
Server: Kaazing Gateway
Date: Thu, 12 Jul 2012 22:17:26 GMT
Connection: Upgrade
Access-Control-Allow-Origin: http://www.websocket.org
Access-Control-Allow-Credentials: true
Looking for WS Security Issues


■ How to inspect WS traffic 

■ How to manipulate WS traffic? 

■ Are there browser plugins to help? 

■ Are there proxies that support WebSockets? 
WireShark


[Wireshark packet list: a conversation between 10.206.78.212 and 174.129.224.73 (the echo.websocket.org session whose stream is followed below)]

Packet details, WebSocket dissector:

WebSocket
    0... .... = Fin: False
    .000 .... = Reserved: 0x00
    .... 0000 = Opcode: Continuation (0)
    0... .... = Mask: False
    .100 0010 = Payload length: 66
    Payload

[Follow TCP Stream of an older-draft (hixie-76 style, Key1/Key2) handshake against the same echo server]

Origin: http://www.websocket.org
Cookie: __utma=9925811.1023894048.1333313328.1334902537.1342038739.5; __utmb=9925811.3.10.1342038739; __utmc=9925811; __utmz=9925811.1334902537.4.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=websocket ?! &20demo
Sec-WebSocket-Key1: K385 2677d ?X Rlcc 5 7
Sec-WebSocket-Key2: 214(7<z 4kxX '8? 15 9v 2-_

HTTP/1.1 101 Web Socket Protocol Handshake
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Origin: http://www.websocket.org
Sec-WebSocket-Location: ws://echo.websocket.org/?encoding=text
Server: Kaazing Gateway
Date: Wed, 11 Jul 2012 20:36:06 GMT
Access-Control-Allow-Origin: http://www.websocket.org
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Headers: x-websocket-extensions
Access-Control-Allow-Headers: x-websocket-version
Access-Control-Allow-Headers: x-websocket-protocol

[binary framing bytes] What's up, BlackHat 2012! [binary framing bytes] What's up, BlackHat 2012! ... Bye

Entire conversation (1145 bytes)
Fiddler Web Debugger


[Fiddler - HTTP Debugging Proxy, session log]

09:48:59:0495 Upgrading Session #2 to websocket
09:49:33:3875 [WebSocket #2] Client->Server (25 bytes)
TYPE: TEXT.
MESSAGE: Are we there yet???
FLAGS: 10000001 DATA: 19 bytes, masked using KEY: A9-B4-6E-4B.

09:49:33:4685 [WebSocket #2] Server->Client (21 bytes)
TYPE: TEXT.
MESSAGE: Are we there yet???
FLAGS: 10000001 DATA: 19 bytes.

Status bar: Capturing - All Processes - This is a WebSocket tunnel to websocket.org:80. Raw Bytes Out: 23; In: 19
Chrome Developer Tools


[Chrome Developer Tools, Network panel filtered to WebSockets: victim.html opened ws://localhost:9002/; the WebSocket Frames tab lists each message]

#   Direction   Time                      OpCode   Mask    Length   Data
1   ->          2012-07-12T18:23:50.629Z  1        true    5        ready
2   <-          2012-07-12T18:23:55.146Z  1        false   16       activate klogger
3   ->          2012-07-12T18:23:55.147Z  1        true    17       klogger activated
4   <-          2012-07-12T18:24:08.273Z  1        false   10       keystrokes
5   ->          2012-07-12T18:24:08.274Z  1        true    28       SECRET PHRASE IS BEING TYPED

2 requests | 380B transferred
JavaScript overload


WebSocket.prototype._send = WebSocket.prototype.send;
WebSocket.prototype.send = function (data) {
    console.log("\u2192 " + data);
    this._send(data);

    // On the first send, attach a listener that logs every incoming message...
    this.addEventListener('message', function (msg) {
        console.log('\u2190 ' + msg.data);
    }, false);

    // ...then replace send on this instance so the listener is attached only once.
    this.send = function (data) {
        this._send(data);
        console.log("\u2192 " + data);
    };
};
Security of the tunneled protocol


■ Outside of HTTP cookies, form-based auth, etc. 

■ Possible that devs create a protocol with basic security 
problems (e.g. “chat” with spoofable user ids, information 
leakage, crypto mistakes) 

■ Just waiting for mistakes to happen 

- using session cookies as chat IDs (visible to the recipient) 

- replay 

- spoofing 

- fragmentation, overlapping fragments 

- server-side buffer overflows, underflows 
Wish You Were Here


■ Unawareness of WebSocket protocol by security devices 
(firewalls, IDS, IPS) makes them ineffective against 
malicious traffic 

- Masking inhibits identifying patterns in traffic 

- Missing auxiliary data type information makes it even harder 

■ Covert channels, command & control 

- Resurrect Loki (Phrack 49) 

- Sources of entropy: reserved flags, length representations, 
mask 
Fingerprinting & Fuzzing


■ Hard-coded HTTP handshake on top of WebSocket 
server 

- not a “real” HTTP server 

- order/case/presence/absence of headers 

■ Reaction to reserved flags 

■ Reaction to reserved opcodes 
Recommendations


■ What it's good for 

- Time critical data delivery 

- Apps that require true bidirectional flow 

- Interactivity 

- Higher throughput 

■ What it doesn’t do 

- It doesn’t fix existing vulnerabilities 
What makes them better


Hacking with WebSockets



Deploy WebSockets Securely 


■ uh...? 

■ Capacity planning & measurement 

■ Assume the client isn’t a browser -- in other words, don’t 
trust it. 

■ Be careful when implementing the HTTP handshake. 

■ Watch out for Access-Control-Allow-Origin: * 
Secure protocol for WebSockets


■ wss : means secure transport, not secure app 

■ Remember security basics 

- Authn/Authz 

- Session identifiers 

- Server-side input validation 

- Resource exhaustion 

- Failure states 
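The checks the Security of the tunneled protocol and Secure protocol for WebSockets slides call for, worked into a small server-side chat-message policy as an added Python example (not the slides' code): identity comes from the session validated at handshake time, the session cookie is never reused as a chat ID, and replay, message size, rate and message shape are enforced server-side. Conn, handle_message, the SESSIONS table and the message format are constructed for this example.

```python
import json
import secrets

MAX_MSG_BYTES = 4096      # server-side size limit (resource exhaustion)
MAX_MSGS_PER_SEC = 20     # crude per-connection rate limit

# Constructed session table: cookie value -> authenticated user.  In a real
# server this is whatever validated the session cookie during the handshake.
SESSIONS = {"sess-a1": "alice", "sess-b2": "bob"}


class Conn:
    """State bound to one WebSocket connection when the handshake completes."""

    def __init__(self, session_cookie, now):
        # Authenticate once, from the handshake's cookie; identity never
        # comes from inside a frame, and the cookie itself is never echoed.
        self.user = SESSIONS.get(session_cookie)
        self.chat_id = secrets.token_urlsafe(16)  # opaque id shown to peers
        self.last_seq = 0                        # replay / reorder guard
        self.window_start = now
        self.window_count = 0


def handle_message(conn, raw, now):
    """Validate one client message; return ("ok", event) or ("reject", why).

    Every client-controlled field is checked server-side, and the sender in
    the emitted event is the user bound to the connection, not a field the
    client could spoof."""
    if conn.user is None:
        return ("reject", "unauthenticated connection")
    if len(raw) > MAX_MSG_BYTES:
        return ("reject", "message too large")
    if now - conn.window_start >= 1.0:
        conn.window_start, conn.window_count = now, 0
    conn.window_count += 1
    if conn.window_count > MAX_MSGS_PER_SEC:
        return ("reject", "rate limit")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ("reject", "malformed message")
    if not isinstance(msg, dict) or set(msg) != {"seq", "to", "text"}:
        return ("reject", "unexpected shape")     # e.g. a client-supplied "from"
    if type(msg["seq"]) is not int or msg["seq"] <= conn.last_seq:
        return ("reject", "replayed or out-of-order seq")
    if not isinstance(msg["to"], str) or not isinstance(msg["text"], str):
        return ("reject", "wrong field type")
    conn.last_seq = msg["seq"]
    return ("ok", {"from": conn.user, "from_chat_id": conn.chat_id,
                   "to": msg["to"], "text": msg["text"], "seq": msg["seq"]})
```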





Summary 


■ WebSockets solve connection problems, not security 
problems. 

■ Basic security principles still apply, especially for data 
frames’ content. 

■ “The new port 80” -- security devices have poor (nonexistent!?) awareness of the protocol.
Still evolving


■ Draft updated as recently as July 2012, browser support 
still in flux. 

■ Contribute, adopt 

■ Update tools 

■ Create more JavaScript libraries 

■ Need more good protocol/libs/docs/debugging tools 
Q&A

Thank You!


